Your message dated Thu, 2 May 2019 09:17:03 +0200 with message-id <20190502091555.GA27284@debian.org> and subject line Re: Bug#928313: apt-key check for revoked keys has caused the Debian Bug report #928313, regarding apt-key check for revoked keys to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 928313: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928313 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: apt-key check for revoked keys
- From: Kurt Roeckx <kurt@roeckx.be>
- Date: Thu, 2 May 2019 00:17:24 +0200
- Message-id: <[🔎] 20190501221724.GA6210@roeckx.be>
Package: apt Version: 1.8.0 I have this in my apt keyring: /etc/apt/trusted.gpg -------------------- pub rsa4096 2015-06-11 [SC] C35E B17E 1EAE 708E 6603 A9B3 AD05 92FE 47F0 DF61 uid [ unknown] matrix.org (Debian signing key) <packages@matrix.org> sub rsa4096 2015-06-11 [E] But I know that that key has been revoked, and the revoked key is in my keyring: pub rsa4096/AD0592FE47F0DF61 2015-06-11 [SC] [revoked: 2019-04-12] C35EB17E1EAE708E6603A9B3AD0592FE47F0DF61 uid [ revoked] matrix.org (Debian signing key) <packages@matrix.org> But there doesn't seem to be any infrastructure to check that a key is revoked other than manually updating it. Kurt
--- End Message ---
--- Begin Message ---
- To: Kurt Roeckx <kurt@roeckx.be>, 928313-done@bugs.debian.org
- Subject: Re: Bug#928313: apt-key check for revoked keys
- From: Julian Andres Klode <jak@debian.org>
- Date: Thu, 2 May 2019 09:17:03 +0200
- Message-id: <20190502091555.GA27284@debian.org>
- In-reply-to: <[🔎] 20190501221724.GA6210@roeckx.be>
- References: <[🔎] 20190501221724.GA6210@roeckx.be>
On Thu, May 02, 2019 at 12:17:24AM +0200, Kurt Roeckx wrote: > Package: apt > Version: 1.8.0 > > I have this in my apt keyring: > /etc/apt/trusted.gpg > -------------------- > pub rsa4096 2015-06-11 [SC] > C35E B17E 1EAE 708E 6603 A9B3 AD05 92FE 47F0 DF61 > uid [ unknown] matrix.org (Debian signing key) <packages@matrix.org> > sub rsa4096 2015-06-11 [E] > > But I know that that key has been revoked, and the revoked key is > in my keyring: > pub rsa4096/AD0592FE47F0DF61 2015-06-11 [SC] [revoked: 2019-04-12] > C35EB17E1EAE708E6603A9B3AD0592FE47F0DF61 > uid [ revoked] matrix.org (Debian signing key) <packages@matrix.org> > > But there doesn't seem to be any infrastructure to check that a > key is revoked other than manually updating it. Well, if you manually insert keys, you manually gotta update it. >From our perspective, keyring files are read-only files shipped by packages and apt-key is deprecated, so we're not going to do anything here. -- debian developer - deb.li/jak | jak-linux.org - free software dev ubuntu core developer i speak de, en
--- End Message ---